[keycloak-dev] client query caches getting complicated

Stian Thorgersen sthorger at redhat.com
Thu Feb 18 08:56:25 EST 2016


On 18 Feb 2016 13:53, "Bill Burke" <bburke at redhat.com> wrote:
>
>
>
> On 2/18/2016 2:07 AM, Stian Thorgersen wrote:
>>
>> Having too many joins (fetching everything about a realm in one query)
>> is probably going to be bad for performance, especially if there are
>> loads of clients and roles. There can also be a large difference between
>> different vendors.
>>
>> Another thing: in the future we should separate clients out into a
>> separate store. There could be thousands of clients or even more. So
>> they should be treated in a similar fashion to users. Does that have an
>> impact on how we improve/refactor/fix caching now?
>>
>
> As I said before, OIDC logout queries *ALL* clients to obtain a list of
> valid redirects to compare against the redirect-uri passed to the logout
> endpoint.  That's about the only very frequent, non-administrative
> function that requires obtaining a list of all clients.  We also really
> need a way to figure out if a realm invalidation is the result of the
> realm being removed or just updated.  Otherwise, you'll be evicting
> thousands of clients and other realm-related items every time a realm is
> updated. Actually, maybe we're better off not evicting clients on a realm
> removal, and just registering invalidations for every client in the realm
> instead.

Why does OIDC logout need to list all clients? It used to just get the
clients that had client sessions for the specific user session.

>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>